August 30, 2011
Due to the Hurricane, we are publishing a Career Advice Tuesday that we wrote for Tech Target – and our monthly advice column. Below you will find the unedited version of our column.
Dear InfoSec Leaders:
I am writing to you with the hope of getting some career advice. I am a consultant for one of the leading security vendors’ GRC products. I help customers set up their compliance programs with the product as the backbone. It’s been about 4 years of doing this and I now feel it’s time for a change. My career goal is to become a CISO someday and I want to work towards that. I have two very different job opportunities and would like your thoughts as to which one aligns well with my goals.
One is that of a Product Manager with the same vendor for the same product. The position will give me immense exposure to senior security management folks across customers. It will also help me gain an understanding of their GRC efforts and pain points. The other position is that of a Security Architect with a large retailer. This team has been recently formed in the organization and is doing some exciting stuff. This position could possibly give me exposure across different security areas beyond GRC. Both these positions have pros and cons; e.g., I’m not sure if staying with a vendor is a good career move or whether the other side of the table is a better option.
As you can tell, I have a lot of questions and very few convincing answers. I’m not sure if I should specialize in the GRC space (via the vendor) or gain exposure to have a holistic view of security.
I’d appreciate any words of wisdom you can send my way.
“Fork in the Road”
Please understand that before we start, the advice that we are giving is based exclusively on the information that you have provided to us in your note, and that we do not have any additional background.
Based on your career goal to become a CISO, we believe that it would be best for you to leave the product arena and accept the job as an Information Security Architect on the recently formed team at the large retailer. Our answer is based on the following reasons, which coincide with your long-term career goal.
1) The group is newly formed
When someone tells us this, the first thing that comes to my mind is opportunity. Newly formed information security functions generally provide information security professionals with opportunities to leverage their current areas of expertise (in your case GRC) to develop broader skills in other areas. The biggest mistake that many infosec pros make when entering an organization in this state is to limit their contributions to their “job description”. An opportunity like the one that you described should provide you with the framework to push yourself to develop new areas of expertise, as opposed to limiting yourself to the world of GRC.
2) Retail experience should be valuable in the future
Due to the importance of PCI, many retailers and e-tailers are placing increased emphasis and dedicating additional resources toward information security programs. Currently, many retailers are not making past “retail” experience a job requirement; however, this will most likely change in the next few years. Having this industry knowledge as part of your skill matrix could become a differentiating factor when looking at the next step in your career.
3) Product Management is not a requirement to become a CISO
There is no doubt that working as a Product Manager will help you develop skills that could be advantageous as a CISO – including customer skills, presentation skills, sales skills, market knowledge, and subject matter expertise. However, when making a transition toward a CISO career path, you will encounter people in the hiring process who will have built-in prejudices against hiring candidates who come from the “Product/Vendor” side at a high entry point. For you to make this direct transition, you are going to have to find yourself a forward-thinking CISO who will value this experience, and believe that the skills of a Product Manager will directly translate to their environment. Our belief is that if you remain as a Product Manager, you will eventually have to make the transition toward an internal infosec role (in your case – architect) at some point in time, so why delay? You have the opportunity in front of you; now is the time to determine if transitioning to a corporate information security function is right for you.
Again, our advice is based exclusively on the information that you have provided in your note, and on generalities.
If you would like to contact us directly via phone to discuss your particular circumstances we welcome you to do so.
Good luck in making your decision.
Lee and Mike
August 23, 2011
This Career Advice Tuesday is an article that we wrote for Tech Target and Information Security Magazine’s July issue; the article tackles the subject of how to determine the market value of your skills.
“Your Information Security Career and the Job Market” — Tech Target – July 2011 – Editor Michael Mimoso
Working as an information security recruiter and career advisor, many of my conversations begin with the question, “How is the market?” While the question at face value appears to be simple, the answer is complex, and greatly dependent on variables uniquely associated with the individual.
Information security professionals possess many different skill combinations. Some refer to themselves as generalists, having broad knowledge that includes technical, organizational and management skills. Others categorize themselves as specialists or subject matter experts who have deep expertise in a discipline such as penetration testing, network security, application security or forensics. Just as there are a variety of skills profiles, there are a variety of markets for these individuals and their information security career. These markets are driven by two external factors: broader-based technology trends, and locally based corporate and industry trends. Broader market trends for information security professionals often involve the emergence of new technology trends that drive demand for specific talent. Technical trends enhance the market for subject matter experts and have little effect on generalists.
The emergence and importance of Web-based applications is an example of a recent business trend driving the market for Web application penetration testers. The emergence of this broader market force drove up the value and demand for information security professionals with these specific Web application testing skills and technical foundations, and, conversely, drove down the demand and compensation for traditional network penetration testers. (Understand that a global trend will rarely affect industry-leading talent.) Traditional network penetration testers who recognized this and were capable of learning Web application testing skills were able to make the adjustment and create additional value because of their skill blend. In turn, they created a secondary market, based on their skill combination. On the other hand, traditional network penetration testers who decided not to adapt or were not capable, have seen the market for their skills shrink dramatically.
Currently, some of the emerging global information security technology trends include the implementation of security information and event management tools, data loss prevention tools, cloud computing, software security and protecting companies against advanced persistent threats. In all of these skill disciplines, there are more ongoing projects than there are competent security professionals to execute upon them. Information security professionals who have documented successful experience with these technologies currently have the luxury of a strong employment market.
Another prime market driver for information security professionals is industry trends. Over the last few years, companies have become more exposed to the consequences of not protecting their data and their customer information. Through breach notification legislation, regulations (primarily PCI DSS), hacktivism and the media, information security concerns have moved to the forefront of many businesses that have never properly invested in the development of an information security program.
When companies begin to formally commit to the construction of an information security program, or make the decision to upgrade their existing programs, professionals with broader information security skills generally stand to benefit. In these types of scenarios, companies are most concerned about securing their businesses and managing risk, and are prone to hire information security leaders who can help ingrain information security into the fabric of the business. Information security professionals who have specific industry knowledge, and excellent communication skills, generally can benefit from these situations.
Broader forces influence the market at large for information security professionals, but the individual determines their career market. Although skills are the most important component of the equation, personal factors ultimately play an equal role in determining the market for your skills. Many times, in order to advance your information security career and maximize your skills, you need to be willing to make some sacrifices that include travel, additional commuting and relocation. Many information security professionals find there is a market for their skills, but the required personal sacrifices prohibit them from recognizing the market opportunity.
If I had to answer the initial question, I would say the overall market for information security professionals is quite healthy. The combination of the pent-up demand created by the economic slowdown and the continued emergence of information security as a business enabler and differentiator has provided a rebirth of opportunity for highly skilled information security professionals. However, many of these newly created positions come with increased personal demands, including long work hours, extensive travel and a high level of scrutiny.
As in the past, you are the determining factor for the market for your skills. Competition, both in the present and the future, will continue to increase, and the proactive management of your information security career, through continued skill development and by making strategic career investments, is the only way to ensure the market for your skills remains strong.
Love to hear your thoughts.
Lee and Mike
August 16, 2011
I hate to bring up what seems to be the elephant in the room within information security and penetration testing in particular, but how exactly are people getting the gigs doing this? Personally, I have tons of training, 15+ years experience in the realm, business experience to match, and every time I ask this question, nobody seems to want to answer/discuss it.
It is a known fact that the big companies (IBM, the Big X, large telcos, etc.) sell it as a service to existing companies, but there are A LOT of two-three man pen testing teams that seem to stay busy constantly. I understand that people don’t want to give out their client attraction methods and strategy, but I have yet to see this topic covered. There have to be a lot of others with the necessary experience asking the same thing.
Anyway, just can’t seem to tackle the elephant in the room. Nobody wants to cover it.
Thanks guys, and a unique blog for the infosec community.
To be candid, I had to look at your question a number of times before I was able to formulate a response. It is my interpretation that the crux of your question is, how do you begin your own information security consulting business – particularly in the field of penetration testing. In addition, you would like to know why others are successful, and why some (you) can’t seem to get off the ground.
First of all, I should start by telling you that all businesses are similar – and beginning a penetration testing consulting business is no different from starting any other services business – such as lawn care, pool service, or home painting. When people decide to buy any service, they look for certain elements – experience, competency, price, and reliability. Anyone who has been successful in beginning a small information security business has been able to personally demonstrate these qualities in their previous life, prior to forming their own company. It is from this reputation and personal brand that they are able to attract some of their initial customers, which provide them with experience and references, which they should be able to leverage into new business opportunities.
Another essential component of any business (and career) is the ability to sell and market one’s services and oneself. It is this skill that often separates the successful from the remainder of the pack. Selling one’s talents and branding one’s skills in the information security marketplace is often overlooked as the key factor in determining success. Many information security professionals have focused their professional development on their technical skills, but at the same time they have neglected to develop their business/sales/presentation skills.
Long and short, there are many technical “rock stars” that have failed on their own as business people, but once partnered with competent business people, have achieved great things.
I have learned over the years that business is about surrounding yourself with great people who complement your strengths. Maybe it would be best for you to find someone who can help “open some doors” and help sell your talents. Or, maybe you need to reevaluate your assessment of your business skills, and try to honestly assess some of the obstacles that are standing in your way in getting your business off the ground.
Understand that it is easy to prove technical competency, but in the world of business, the proof of competency solely lies in the color of the ink – “red” or “black”.
In closing, our note does not mean to come across as harsh, but it is meant to be direct.
Hopefully some of this advice and insight helps, and your infosec consulting business will get off the ground soon.
Hope this helps,
Lee and Mike
August 9, 2011
Having just returned from Black Hat, we thought it would be good to utilize Career Advice Tuesday to provide our readers with some observations and what it means to you and your career as an information security professional.
1) Our industry has a short memory
Not too long ago, Mike and I were sitting together putting together the “Career Incident Response” Podcast series, because there were so many information security professionals who were getting outsourced, downsized, or laid off. How quickly things have changed. Prior to the conference, an article by Information Security Media Group claimed 0% unemployment, and during the event the NSA announced it was going to use DefCon as a job fair in an attempt to hire 1500 information security professionals. Walking the trade show floor, Amazon.com dedicated their booth to recruiting members for their team, and many of the booths had signs that said “we are hiring”.
While we do not believe that there is 0% Infosec unemployment or that the audience at DefCon will have an easy time passing the NSA Background Check requirements, we do believe that the employment market is increasingly healthy. During the conference itself, I (Lee) personally had meetings with over 15 new entities (corporations, service providers, product companies) who would like to attempt to engage LJ Kushner & Associates’ services to help them recruit information security talent.
It is my belief that all of the recent events have awakened many to the fact that information security needs to be an element of their business and that hiring the right talent is a great challenge.
2) We Don’t Have A Quantity Problem, We Have A Quality Problem
Without question, employers need to hire information security professionals. It is also clear from the attendance at both Black Hat and DefCon that there are plenty of folks who are either information security professionals or who have an interest in becoming information security professionals. So, if that is the case, what is the issue – the hiring needs should be solved – but they are not.
What many do not understand is that there is a big difference between “people” and “talented people”, and there is a bigger difference between a “job” and a “quality job”.
Information security professionals are operating under the misconception that just because they are in the field of infosec, they are qualified for many of the positions that companies are looking to fill. The fact is that although many information security pros are more than qualified to perform their same job at a different company, they are not viewed as qualified for information security opportunities that can be viewed as a “step-up” and will advance their careers. The main reason behind this is the lack of investment in their professional development beyond standard industry certifications.
On the flip side, two things are happening. First, the positions that many companies are advertising for are viewed by many information security professionals as “dead end” jobs that on the surface do not provide the growth and career advancement opportunities that many are looking for. Secondly, when companies are looking for more talented and experienced professionals, they are creating job descriptions that require complex skill combinations and experience, without offering compensation packages that are consistent with their requests and reflect a “risk/recruitment” premium for the applicants that they are searching for.
Therefore their junior level roles go unfilled because no one wants them, and their senior level roles go unfilled because their skill requests lie outside their budget.
Something has to eventually give in this process – or the information security talent myth will continue to grow.
3) Outside Market Conditions and Industry Events Will Have An Effect on our Future
While we were attending BlackHat, the United States extended our debt ceiling, and then on Thursday, the stock market plummeted 500 points, which was followed on Monday with another 600 point decline.
Neither of us claims to know anything about the stock market, but there is no question that if the world slips back into a global recession, the information security industry is not going to be immune to its effects. Now is the time for information security professionals to take a proactive approach to ensuring that they do not become collateral damage if the economy begins to deteriorate.
The only sure way to ensure your career is to continue to build your skills, stay current with technology, and demonstrate your value to your current employers. Now that times are good, and we are in demand, it is time to take advantage of the situation, and use your current role as a platform to exhibit your skills, your impact and your knowledge.
If any of our readers have their own information security career observations from Black Hat, it would be great to hear from you.
Lee and Mike
August 4, 2011
From my three days in Las Vegas, I am clear about one thing – there is an increasing demand for quality information security professionals, and companies are having a very difficult time attracting Information Security professionals to their teams.
On the surface, that should be great news. However, with choices come decisions. With decisions come mistakes. It is our goal at Infosecleaders, to provide you with information and frameworks, to minimize your risks, and maximize your rewards!
Thanks to Jeff, Ping, and the folks at Black Hat, today we have a platform to do this.
This afternoon, at the Black Hat Briefings in the Florentine Room, Mike and I are going to share our collected data on InfoSec Certifications (The Value of Cert Survey), help you beat out your competition for the “Good Jobs” (Second Place Sucks), provide you with a road map for developing your “future skills” (Infosec Leader of the Future), shed insight into the real world of hiring, recruiting, and interviewing (The Other Side of The Desk), and provide an open forum for you to ask your Information Security Career Questions (Career Advice Tuesday – Live; in Vegas, it is always someone’s Tuesday).
Schedule- Florentine Room
1:45 – 3PM – Value of Certification Results & Second Place Sucks
3:15 – 4:45PM – InfoSec Leader of the Future & Other Side of the Desk
4:45 – 6PM – Career Advice Tuesday Live and Predictions for the Future
We hope that if you are attending Black Hat, you choose to spend some of your afternoon with us, and take something away from the conference that you can apply to your professional growth and career development.
Look forward to seeing you,
Lee and Mike
August 2, 2011
The other day I learned that my information security program will be going through a reorganization.
The good news is that as a result, I am receiving increased responsibility, visibility and exposure. The bad news is that I am getting more work, more headaches, and I am not receiving any additional compensation.
Needless to say, I am angry.
I really like my employer, but I consistently fight battles with management and human resources about my compensation. Last year I received an “over market” increase (according to HR), which from my perspective was underwhelming, and did not reflect my contributions. When I brought them “data” about compensation, they dismissed it.
Here I am again. The pattern is repeating itself. I am planning on putting my thoughts down in writing, in a very direct letter to both my management and human resources, documenting and reflecting my feelings.
Do you approve of this approach?
Before you decide to put your thoughts down on paper or in an e-mail, you need to ask yourself, “How good of a writer am I?” By writing a note, your thoughts are going to be contained forever, and can always be referenced. If your note takes an angry tone, it can be viewed as a line in the sand to your current manager and employer, and it can force an action – which may or may not be worth the risk.
Personally, I believe that you should express your opinions verbally, in a meeting setting with both your manager and human resources present. I think that you should set the tone of the meeting, by first letting them know that you appreciate their recognition of your contributions, by providing you with additional responsibility.
Once this point is conveyed, you should let them know that your expectation would be that once you prove yourself in this new capacity, you will be compensated commensurate with others across the organization who hold the same titles and responsibility. During this meeting, you should ask your manager to establish specific metrics on how your performance will be evaluated. In front of HR, you should ask for a follow-up meeting so that these can be reviewed, and set up a timetable for an initial review (6 months may be ample time). In these 6 months, you should work your butt off to overachieve, to show them that they made the correct choice in giving you this opportunity.
By handling it this way, you are demonstrating maturity in your approach. It is a common mistake for people to ask for money once given an “opportunity”, but the fact is that the extra money is earned once you prove that you can perform at this newly elevated level.
When the review cycle comes around, one of two things will happen – you will either be happy with your new position and increase, or you will be polishing off your resume, looking for an employer that appreciates your experience and newly learned skills.
Hope this helps,
Lee and Mike